Classic ASP is the old server-side web scripting technology based on VBScript, now superseded by ASP.NET, which lots of developers, including myself, learned to hate in the nineties when, for mysterious reasons, a certain customer decided he needed the whole "Enterprise" Microsoft three-tier stack (IIS/COM+/SQL Server). Luckily, nobody asks you to build anything new using ASP these days (even though there's always some insanely unmaintainable VBScript code out there which badly needs maintenance), but this technology, agonizing as it is, has found a way to come back and make me sad again.

Even though it's not very clear from that piece of writing, the issue at hand is quite simple but, in my opinion, outrageously stupid and annoying. I'm gonna call it "HomoXSSuality" (even though most LGBT people I know are neither simple, nor stupid, nor annoying), because homoglyphs and homophones conspire to make XSS (and SQL injection) attacks easier to pull off.

Like any other server-side web programming framework, ASP gives developers some means to extract "parameters" (name/value pairs) from HTTP requests, whether they are carried in the query string or in the POST body. For instance, if an ASP script is invoked using the URL http://some.site.com/my_heroes.asp?name=Giorgio%20Maone&hero=%E1%BD%99%CF%80%CE%B1%CF%84%CE%AF%CE%B1, the parameters can be extracted by code like this:

Dim Name, Hero
' Request("x") searches the QueryString, Form, Cookies, ClientCertificate
' and ServerVariables collections, in that order, and returns the first match
Name = Request("name")
Hero = Request("hero")

At runtime, the Name variable will contain "Giorgio Maone", while Hero will be set to "Ὑπατία". This contrived example also shows how "special" characters, such as the space or Greek letters, are escaped by standard percent encoding, i.e. by taking the UTF-8 bytes of the string and writing each byte as a "%" character followed by its two hexadecimal digits: specifically, " " becomes "%20", and "Ὑπατία" becomes "%E1%BD%99%CF%80%CE%B1%CF%84%CE%AF%CE%B1". This is the encoding produced by the encodeURIComponent() ECMAScript function, and the recommended way of escaping URL components.
An older, never standardized method, implemented by the now deprecated JavaScript escape() function, produces more or less the same output for ASCII strings, but encodes each UTF-16 code unit of a non-ASCII character as "%u" followed by four hexadecimal digits: " " still becomes "%20", but "Ὑπατία" becomes "%u1F59%u03C0%u03B1%u03C4%u03AF%u03B1".

NoScript's Anti-XSS filter, while processing HTTP requests, recognizes and properly handles both these encoding styles, and many more. Any web security filter should be able to, because web applications usually consume data that has already been decoded by their runtime environment: what the filter inspects must be what the application will actually see.

But Classic ASP adds a perverse twist to its parameter decoding routines. The Request() API apparently assumes that developers and/or browsers and/or users are too stupid to handle non-ASCII Unicode characters (e.g. Greek letters) by themselves, so it tries to protect them from such execrable things by automatically translating any non-ASCII character into the ASCII character which resembles it the most; when no suitable replacement can be picked, it substitutes either "?" or "�" (U+FFFD), apparently at random. So "%u1F59%u03C0%u03B1%u03C4%u03AF%u03B1", rather than "Ὑπατία", becomes a rather ugly "?pat?a". As you can see, while the replacement choice is mainly homoglyphic (α→a, τ→t), it may also follow homophonic criteria (π→p).

To figure out the whole range of Unicode-to-ASCII transliterations performed by ASP, I wrote an ad hoc program mixing VBScript and JavaScript, and used it to automatically generate the ASPIdiocy.js mappings file that ships with recent NoScript packages.

As you can see at the end of that list, I could find 3 different homoglyphs for < (less than, ASCII 0x3C) and 5 for ' (apostrophe, ASCII 0x27). Anybody with a bit of familiarity with XSS or SQL injection has already guessed where I'm going...

which, if echoed back, is executed as a JavaScript block by web browsers.

Any "sane" web server runtime (a recent IIS with ASP.NET, Apache with PHP/Python/Ruby, a Java servlet container, or whichever you pick) either leaves the %u... stuff alone (because this escaping style is deprecated and was never standard), or translates the whole thing into

which, to any decent web browser, obviously means nothing more than "funny text".

This undocumented (AFAIK) Classic ASP "feature" (which was sooo good and smart that Microsoft itself dropped it in ASP.NET) can severely screw up any anti-XSS filter. It does fool Google Chrome's; it does not fool Microsoft IE8's (unsurprisingly, since the original mess came from Redmond); and it no longer fools NoScript's, since version 2.0.2rc2.

So, how many WAFs out there can actually resist when HomoXSSuality calls?
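As an added example (my own code, not part of the original post and not NoScript's or ASP's), here is a small JavaScript filter that inspects a raw request parameter the way a WAF would, but decoded the way Classic ASP decodes it: legacy %uXXXX escapes are expanded alongside %XX ones, and non-ASCII homoglyphs are folded to ASCII before the XSS/SQL injection signatures run. The folding uses Unicode NFKC compatibility mappings (so fullwidth ＜, ＞ and ＇ become <, > and '); that is an assumption standing in for the real ASP transliteration table captured in ASPIdiocy.js, and the sample parameters are constructed for the demo.

```javascript
// Added example, not code from the original post, NoScript or Classic ASP.
// ASSUMPTION: homoglyph folding uses Unicode compatibility decompositions
// (NFKC), e.g. U+FF1C FULLWIDTH LESS-THAN SIGN -> "<", U+FF07 FULLWIDTH
// APOSTROPHE -> "'". That approximates, but is not, the transliteration
// table Classic ASP really applies (the one captured in ASPIdiocy.js).

// Decode a raw query-string/form value the way ASP's Request() accepts it:
// "+" -> space, legacy %uXXXX -> that UTF-16 code unit, runs of %XX -> UTF-8.
// One regex pass, so nothing is decoded twice (e.g. "%25u003c" -> "%u003c"),
// and malformed sequences are left untouched rather than throwing.
function decodeAspParam(raw) {
  return raw.replace(/\+/g, " ").replace(
    /%u([0-9a-fA-F]{4})|((?:%[0-9a-fA-F]{2})+)/g,
    (match, unit, bytes) => {
      if (unit !== undefined) return String.fromCharCode(parseInt(unit, 16));
      try { return decodeURIComponent(bytes); } catch (e) { return match; }
    });
}

// Fold non-ASCII characters onto ASCII look-alikes, roughly as Classic ASP
// does before handing the value to the script. Characters without an ASCII
// compatibility form become "?". NFKC has no homophonic rules, so plain
// Greek letters all become "?" here, where ASP's own table gives "?pat?a".
function foldToAscii(s) {
  return s.normalize("NFKC").replace(/[^\x00-\x7F]/g, "?");
}

// Deliberately simple XSS / SQL-injection signatures standing in for WAF rules.
const SIGNATURES = [
  /<\s*\/?\s*[a-z]/i,                 // start of an HTML tag, e.g. "<script"
  /'\s*(?:or|and|union|--|\/\*|;)/i,  // quote followed by SQL keyword/comment
];
function looksInjected(value) {
  return SIGNATURES.some((re) => re.test(value));
}

// Evaluate one raw parameter from three viewpoints:
//   flaggedRaw:      the filter only looks at the undecoded bytes
//   flaggedStandard: the value as a standards-following runtime decodes it
//   flaggedAsp:      the value as Classic ASP's Request() hands it to the script
function inspectParam(raw) {
  const decoded = decodeAspParam(raw);
  const folded = foldToAscii(decoded);
  return {
    decoded,
    folded,
    flaggedRaw: looksInjected(raw),
    flaggedStandard: looksInjected(decoded),
    flaggedAsp: looksInjected(folded),
  };
}

// Constructed sample parameters (not taken from the original post).
const SAMPLES = {
  hero: "%E1%BD%99%CF%80%CE%B1%CF%84%CE%AF%CE%B1",        // benign Greek, UTF-8 %XX
  heroLegacy: "%u1F59%u03C0%u03B1%u03C4%u03AF%u03B1",     // same value, escape() style
  xss: "%uFF1Cscript%uFF1Ealert(1)%uFF1C/script%uFF1E",  // fullwidth < and >
  sqli: "O%uFF07%20OR%20%uFF071%uFF07=%uFF071",           // fullwidth apostrophes
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = inspectParam(raw);
  console.log(name, JSON.stringify(r.decoded), "->", JSON.stringify(r.folded),
    `raw:${r.flaggedRaw} standard:${r.flaggedStandard} asp:${r.flaggedAsp}`);
}
```

Run it with node and read the flags on each line: the fullwidth payloads are flagged only in the ASP view, never on the raw bytes nor after standard decoding, which is exactly the gap a filter sitting in front of Classic ASP has to close. A filter protecting real ASP code should fold with ASP's own table (as ASPIdiocy.js does) rather than with NFKC, because, as the "?pat?a" example shows, ASP's choices are not limited to Unicode compatibility equivalents.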

This entry was posted on Tuesday, August 17th, 2010 at 7:35 pm and is filed under XSS, SQL, Mozilla, Security, NoScript. You can follow any responses to this entry through the RSS 2.0 feed.

If you cannot see why someone could interpret "homoXSSuality" as a bit homophobic then I think you're naive.

The reason is very simple:
You write very negatively about something then naming it very similarly to "homosexuality" thus creating a link between all the negativity and homosexuality.

The name being so similar creates this insinuation.

Going further (and hopefully incorrectly), one can interpret the reason of the name to be that the writer assumed the readers thought "homosexuality == bad" and thus made a name close to homosexuality to transfer the reader's negative feelings towards homosexuality to homoXSSuality.

Plus, your blog posts are shown on a planet and you can't expect everyone reading the planet to have read your previous posts or knowing your stances in matters like these or even read the post's comments.

@meh:
Thanks for your kind explanation.
OTOH, I would never give up a catchy pun like this to go after people totally lacking any sense of humor, irony and proportion. Fortunately all my LGBT acquaintances have these three qualities in great abundance.

I can see (and somewhat agree with) the arguments against the name, and the "I have $MINORITY friends" defense has never exactly carried all that much weight. That said, given the nature of how the attack works, I can also see how it'd be hard to come up with a different nickname that's still as memorable.

This name adds the information that the "feature" consists in an insensitivity to (almost) homographic or homophonic characters. And it is distant enough from homosexuality, at least I feel so (but English is not my mother tongue ...)

I don't know what self-anointed pseudo-psychologist first decided to chide those expressing or implying a distaste for homosexuality by calling them "homophobic", but every time I read or hear that asinine term, I want to slug 'em! Dislike or distaste is NOT fear -- and don't even start trying to anal-yze the roots of aversion, stating that it comes from fear. To wit: I like okra, including the boiled stuff. Some people hate it cooked that way, because it's slimy. Do they fear it? I daresay no, but they find it distasteful. The same applies to many, if not most people's reactions to homosexual practices. That is normal, in the strictest sense of the word, and nothing is ever going to change that. Period.

@Joe Blow:
While I find your anal-yze pun quite childish (do you feel the urge to insert vaginal puns every time you talk about heterosexuality? you surely know that many "straight" people enjoy anal sex, right?), your okra analogy is plain wrong, as it doesn't account for the violent discrimination people around the world are victims of because of their sexual orientation or gender identity.

Just because people hate okra (even if it was the majority), nobody legislates against cajun cuisine, or restricts okra eaters from getting married, or beats them savagely and cuts them because they dare to kiss in public, or tries to "heal" them, or proclaims that they're gonna burn in an imaginary hell because an imaginary god hates them, or directly sends them to their imaginary hell by real lapidation or hanging...

Whether homophobic or not, the author has the right to call it whatever he likes; the problem is in your head and not in the name. Because you are doing something that 90% of people on Earth see as disgusting (GLT) and dislike, you are paranoid and see everything as homophobic.
Keep the name. Change minds.

Dude, change the name. It's ridiculously inane; I don't care how many of your friends are gay (which, of course, is how every modern bigot starts every bigoted comment). You already knocked one knuckle-dragger out of the woodwork, and you're sure to get more.

Maybe some people should just get used to seeing stuff that the Rapsinger calls bad a lot more. Their phobias might be manageable with constant exposure to fear-triggers. Other threads hosted here have shown that there is a very phobic, if small, subset of contributors that might benefit from even more desensitisation.

And while on the topic of misapprehensions about who fucks whom with what and how, I get so tired of the dumb misapprehension, evident in this thread, that the "homo" part of homosexuality is the Latin "homo" meaning "man". It's the Greek "homos" meaning "same".

Well, Giorgio - Did you wet your finger and hold it up to gauge which way the wind was currently blowing before you decided to deride my "childish" pun ("anal-yze")? You were the one who sparked off this whole ass-inine (get it? ;P) exchange by coining the term "HomoXSSuality", which, I have little doubt, you knew implied the attachment of a critical or derisive connotation to "homosexuality".
Furthermore -- don't even attempt to extrapolatively affix some kind of persecutionality to me or my attitudes -- which you know almost nothing about, except the fact that I think the term "homophobic" is puerile, and am quite disdainful of those who can't focus their minds, their passions, and their argumentative thrusts precisely enough to stay sufficiently coherent so as to refrain from tagging anyone who points out the fact that homosexual practices like buggery and fellatio, etc., are repellent to most non-homosexuals with such an epithet.
You can NOT infer from my earlier post any of the negativity you seem to want to attribute to me pertaining to persecution of homosexuals, and the like. What I was saying was that the term "homophobic" is predominantly used pejoratively (and incorrectly, as pointed out by AnonymousCoward: "...the "homo" part of homosexuality is... the Greek "homos" meaning "same") by those who feel over-weeningly righteous in assuming a politically-correct posture in defense of homosexuals.
Last year, I signed an online petition demanding that any form of persecution or restriction of constitutional rights of homosexuals in the US be added to the federal list of hate crimes. I think consenting adults should be left entirely alone, when it comes to their private lives - in all ways. I couldn't care less, one way or another, who does whom, and in what way. That still doesn't change the fact that "normal" people -- meaning those who belong to the statistically predominant group in our society, based on their attitudes and/or behavior -- tend to feel rather disgusted when they think of men sucking each other off or screwing other dudes in the ass (with the corresponding acts pertaining to women making them queasy, as well). That is a fact, based both in nature and nurture. I didn't cook that up, I've simply made note of it, over the decades, and stated it here.
If one feels that it is incumbent on them to try to alter their own "instinct", or their indoctrination, in order to more closely conform to what they perceive to be a more ethical or humane outlook - more power to them. That is strictly personal. Just keep your sophomoric "homophobe" appellation to yourself, and stop labelling others you poorly know or understand with such a childish term.
So -- get off your high horse, and deal with what I've expressed as a personal opinion... and don't you dare try to make me out to be some fucking queer-hating villain. I have no doubt that God loves fags and dykes just as much as anyone else: we are all spiritual beings and were created out of divine love. So stick that in your pipe and fire it up!

Giorgio - that was just an example dude. You obviously need to apply it properly in each specific instance. For example, you shouldn't need a newline in a first name field, but you may in an address field. Thus the potential valid characters for each might be different (unless you have numbers in your first name). You can easily chain several rules together for each specific input field to ensure that all valid characters are accepted. This requires a deep understanding of each parameter accepted by the application. My point was just that ModSecurity (and I'm not talking about the Core Rule Set, just the ModSecurity rules language) has the flexibility to deal with this. Having said that, this was an awesome discovery.

Jo Blow, you can have those obsessive, twisted trigger images given the perspective of kindness and humanity that no church is able to provide.
The fear and loathing is so bad that even your nick has to be a sad pun on the mechanics of sexual activity. The fear you display is so strong that it's not at all unexpected that you would be in such denial. Phobias are curable. Seek help.

Maone's pun has context, playfulness and several layers of meaning that have nix all to do with any kind of specific sexual activity. And all that from someone whose first language isn't English.